
With tcpdump, if I want to capture all TCP connection attempts (whether successful or not) I use the following capture filter:

tcp[tcpflags] & (tcp-syn) != 0

and if I want to capture the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host I use:

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet

How can I do these examples using the Wireshark GUI (creating capture filters)? Thanks in advance!


asked 08 Mar '13, 10:30


zig69

edited 08 Mar '13, 10:32


Assuming you're running Wireshark 1.8.x, you can open the capture options and double click on the interface you want to capture on. This will open another dialog where you can specify the capture filter.

On older versions, you'll see the capture filter input field right after opening the capture options dialog.


answered 08 Mar '13, 10:34


Jasper ♦♦

Thanks for your answer, but I already knew that, it's trivial! I meant how to create the filters (syntax) for doing the same thing that I do with tcpdump...

(08 Mar '13, 11:12) zig69

Not sure what you're aiming at, but THAT capture filter box takes tcpdump syntax... just put it in there, just as you would for tcpdump. Did you ever try? It's trivial! ;-)

(08 Mar '13, 13:59) Jasper ♦♦

Yes, it's trivial but does not work! The filter tcp[tcpflags] & (tcp-syn) != 0 works well, but when I add the expression "and not src and dst net localnet" the capture filter field appears in red and does not work (of course) :-(

(11 Mar '13, 10:42) zig69

Wireshark does not know the term localnet.

(11 Mar '13, 23:52) Kurt Knochner ♦

localnet is not a libpcap keyword; it is looked up by your system in /etc/networks. Even though you can add an entry to /etc/networks, it does not seem to be CIDR compatible, so if you are on a network that is not classful, you will be out of luck anyway.

See also: http://www.winpcap.org/pipermail/winpcap-users/2011-November/004522.html

You will have to construct the network address for your network yourself and can then use it like this (for 192.168.1.0/25):

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net 192.168.1.0/25

answered 15 Mar '13, 04:57


SYN-bit ♦♦
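The following is an added example, not code from the thread or from the Wireshark/libpcap projects. It does the two things the accepted answer asks the reader to do by hand: derive the CIDR network that "localnet" would otherwise have named from an interface address and netmask, and build the resulting capture filter string in the exact form given above. It also shows, on a constructed 20-byte TCP header, what the `tcp[tcpflags] & (tcp-syn|tcp-fin) != 0` part actually tests (the flags byte at TCP header offset 13), so a reader can check their own filter logic offline. All addresses and packets below are constructed sample values.

```python
import ipaddress
import struct

# TCP flag bits as libpcap defines tcp-fin, tcp-syn and tcp-ack
TH_FIN = 0x01
TH_SYN = 0x02
TH_ACK = 0x10

# tcp[tcpflags] is shorthand for tcp[13]: the flags byte sits at offset 13
TCPFLAGS_OFFSET = 13


def network_for(ip, netmask):
    """CIDR network an interface address belongs to.

    This is the value that tcpdump's 'localnet' keyword would normally be
    resolved to via /etc/networks; Wireshark's capture-filter box has no
    such lookup, so we compute it ourselves. strict=False lets a host
    address (not just the network address) be given.
    """
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


def build_capture_filter(ip, netmask):
    """Capture filter for SYN/FIN packets of conversations with a non-local host,
    in the same form as the accepted answer, with 'localnet' replaced by CIDR."""
    net = network_for(ip, netmask)
    return (
        "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 "
        f"and not src and dst net {net.with_prefixlen}"
    )


def make_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header (seq, ack, checksum and urgent pointer zeroed).

    Layout: sport, dport, seq, ack, data-offset byte, flags byte, window,
    checksum, urgent pointer.
    """
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 8192, 0, 0)


def syn_or_fin_set(tcp_header):
    """Evaluate 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0' on a raw TCP header."""
    return tcp_header[TCPFLAGS_OFFSET] & (TH_SYN | TH_FIN) != 0


def both_endpoints_local(src_ip, dst_ip, net):
    """Evaluate 'src and dst net <net>': true only if both addresses are in net."""
    return ipaddress.ip_address(src_ip) in net and ipaddress.ip_address(dst_ip) in net


def filter_matches(src_ip, dst_ip, tcp_header, net):
    """Whole filter: a SYN or FIN packet where at least one endpoint is outside net."""
    return syn_or_fin_set(tcp_header) and not both_endpoints_local(src_ip, dst_ip, net)


if __name__ == "__main__":
    # Constructed sample: host 192.168.1.77 on a /25 (mask 255.255.255.128)
    local_net = network_for("192.168.1.77", "255.255.255.128")
    print(build_capture_filter("192.168.1.77", "255.255.255.128"))

    # Constructed sample packets: (src, dst, flags)
    samples = [
        ("192.168.1.77", "203.0.113.10", TH_SYN),           # outbound connect attempt
        ("203.0.113.10", "192.168.1.77", TH_SYN | TH_ACK),  # reply, still SYN set
        ("192.168.1.77", "192.168.1.20", TH_SYN),           # purely local: excluded
        ("192.168.1.77", "203.0.113.10", TH_ACK),           # plain data/ack: excluded
        ("203.0.113.10", "192.168.1.77", TH_FIN | TH_ACK),  # teardown: included
    ]
    for src, dst, flags in samples:
        hdr = make_tcp_header(40000, 80, flags)
        print(src, "->", dst, "flags=0x%02x" % flags, filter_matches(src, dst, hdr, local_net))
```

The `src and dst net` qualifier in libpcap means both addresses must be inside the network, so `not src and dst net X` keeps any packet with at least one non-local endpoint; `both_endpoints_local` mirrors that exactly, which is why a purely local SYN is dropped while a local-to-remote SYN is kept.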
